Android_for_Work

Inspecting Google Android for Work
Deepak Bawari
Darmstadt University of Technology
deepak.bawari@stud.tu-darmstadt.de
Saba Sabrin
Darmstadt University of Technology
saba.sabrin@stud.tu-darmstadt.de
Abstract
Mobility has become one of the crucial requirements for any enter-
prise in the todays world. With the inculcation of smartphone tech-
nology, business-critical applications could be readily provisioned
to a mobile device. Ease of use, availability and security are some
of the major requirements when we speak about business mobility.
Android, a powerful operating system for smartphones, is target-
ing business mobility with the perspective of having one device for
both personal and for business use. With the concept of bring your
own device, Android offers to cover personal leisure and business
context in a single platform. In this paper, we will do an extensive
study over android for work the concept and how it is realized,
with concrete examples from business solution who are offering
this platform. We will also shed some light over the history of An-
droid and how it has evolved over years.
Keywords Android, Android for work, BYOD, EMM, MDM
1. Motivation
With rapid advancement in mobile technology including smart-
phones, tablets and other devices has created a sagacious impact
on the society. Every year the number of smartphone users is in-
creasing at a tremendous rate. This smartphone revolution has also
created a profound effect on wide range of business as well [2].
Only a few years ago, the usage of mobile devices coupled with net-
working capabilities was quite expensive and was limited to busi-
nesses whose model was entirely distributed or mobile. As the mar-
ket evolved the cost for such adoption became cheaper and more
and more organizations started to inculcate mobility in their busi-
ness model. Delivering the right information to the right person at
exactly the right time and place so that they can meet and exceed
customers’ expectations is the promise of enterprise mobility. As
the mobility was on the rise, consumers in any organizations were
overwhelmed with multiple mobile devices for business and per-
sonal use. This led employees wanting to bring their personal de-
vices with them to work and use them in a business context. This
phenomenon is referred to as BYOD (bring your own device) has
itself created a number of challenges for businesses who want to
support this trend to help their users be more productive yet at
the same time want to ensure security and accountability for the
handling of sensitive company data and information as it leaves
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from permissions@acm.org.
, .
Copyright c 2015 ACM 978-1-nnnn-nnnn-n/yy/mm...$15.00.
http://dx.doi.org/10.1145/nnnnnnn.nnnnnnn
the office [3]. It is true that mobility has revolutionized businesses
and contributed towards maximizing profit across the organization,
however it has raised new areas of concerns regarding security and
integrity of business-critical data.
2. Introduction
Smartphones have evolved at a tremendous rate over the past
decade from hardware components to software we have seen a stu-
pendous increase in the usage of smartphones and their capabilities.
A smartphone is a device which combines features of a cellphone
and a mobile device such as media player, GPS navigation, camera
and much more. The amalgamation of features, to provide a uni-
fied view to the user, is realized through an operating system which
sits on top of the smartphone hardware. The first mobile phone to
incorporate PDA (personal digital assistant) features was an IBM
prototype developed in 1992, which got commercialized in 1994
and was sold under the name Simon. Having features like fax, e-
mail and calendar, Simon marked the first step towards the era of
smartphones. With the advancement in hardware and computing
power of handheld devices the need for powerful mobile operating
was on the rise. In the year 2000, Symbian became the first mod-
ern mobile operating system which was widely used by Nokia and
became a huge success. Following the launch of Symbian, many
vendors came into the picture with their own mobile operating sys-
tem e.g. Microsoft Windows CE (2002), Blackberry (2002) and
Apple (2007) which also marked the beginning of multi-touch in-
terface devices. Furthermore, year 2007 witnessed the beginning
of Android era, technical giant Google along with other companies
like HTC, Sony, Dell and more formed Open Handset Alliance
(OHA) and following next year the very first version of Android
was launched in the market [5]. Initially, with established com-
petitors in the smartphone market, Android was not the centre of
attraction. However, it is now one of the most widely used mobile
operating system with an impressive number of users around the
globe, which will continue to rise as the numerous advancements
and on-going research.
Android is a mobile operating system based on Linux kernel and
is currently managed by Google Inc. Since its early years, Android
is continuously progressing and encompassing new class devices
such as tablets, interfaces for smart televisions, cars and other ubiq-
uitous devices. Android Inc. was founded in the year 2003 with the
initial aim of developing a user interface for digital cameras. Later
on, it was acquired by Google where, initially, the focus was di-
verted towards smart devices i.e. mobile phones and tablets. The
very first Android version, built on Linux Kernel version 2.6.25,
was launched with collaboration with HTC (the very first com-
mercially available Android-based smartphone). Android operat-
ing system source code is released under Google and Open-Source
licenses which has attracted a large community of developers to
work towards the advancement of the Android platform. Due to its
open nature Android operating system is quite favored by vendors

looking for cost efficient and customizable mobile operating system
solution. Due to its open nature Android is increasingly becoming
the choice for many organizations where mobility is a crucial as-
pect of buisness model. Varying from every 6 to 9 months, Google
provides major upgrades for the Android operating system which
are propagated to the users end device. Since its first appearance in
the market, there have been in total 10 versions of Android.
One of the key features of the android is the application stack,
which not only relies on in-built applications but can be readily
extended via third-party applications as well. Device functional-
ity could be greatly improved and tailored according to the user
need. Android applications are primarily written in Java program-
ming language and could be built using different development en-
vironment. This was made possible with the use of Dalvik virtual
machine which facilitates the execution of an application written
for android. Initially Android programs were commonly written
in Java and compiled to bytecode for the Java virtual machine,
which is then translated back to Dalvik bytecode and stored in
.dex (DalvikEXecutable) and .odex (Optimized DalvikEXecutable)
files. However, after the release of Android 4.4, Dalvik was re-
placed by ART (Android Runtime) which is an application runtime
environment. Android Runtime introduced the concept of ahead-
of-time (AOT) compilation by compiling entire applications into
native machine code upon their installation.Along with it improved
overall efficiency and low power consumption, ART also provides
faster execution, improved memory allocation and garbage collec-
tion mechanisms and new applications debugging features. An-
droid has a growing market for third-party frameworks and appli-
cations which sits on top of the conventional Android OS. All the
third party applications are deployed in a market place, popularly
known as play store which can be accessed from any android de-
vice, where all the third-party application can be browsed and in-
stalled by downloading the application package files. Applications
could be of a varied nature, ranging from education, games, health
and much more. Applications also make use of the available sensors
which hardware offers and can be exploited through the operating
system e.g. bio-metric sensor for health-related applications, gps
for navigational application and much more. In this paper, we will
target mobility and how Android for Work is targeting to achieve it
[6] .
With a wide range of offerings of applications, Android has up-
scaled the productivity of business and organizations. With enter-
prise related applications readily available on mobile devices, em-
ployees can access information [6]. As smartphones has increased
mobility in an enterprise, it has also added a stack of hardware in
the employees pocket. The curse of two phones we all seen or have
experienced this technological segregation where on one hand we
have our own personal smartphone and on the other hand we carry
business specific smartphone. Enterprise mobility management is
one such domain which targets the management of mobile devices
and related services which enable the use of mobile computing in
a business context [8]. With strong policies spanning authentica-
tion, encryption and remotely managed services - enterprise mo-
bility management targets the mobile platform to be robust, secure
and easy to manage. However, the curse of two smartphones was
not diminishing, the added stack only led to the end-user frustra-
tion. Google presented a solution for this answer - Android for
Work, starting from upgrade 4.0.X (KitKat) Android offered a com-
mon platform to be used as personal and business related scenario
. The goal is to provide a unified view over a single device, bear-
ing in mind the separation of concerns of both the scenarios. An-
droid for work provides an extra stack of application which can
be accessed from your personal Android device and which can be
managed remotely through an admin console. Android for Work is
a program working with device manufacturers, application devel-
opers and management solutions to deliver standardized security
and management capabilities, new productivity features, and sep-
aration of work and personal data. Before Android for Work was
introduced into the market there were already EMM suites e.g. Air-
Watch available in the market as a standalone solution for mobility
in enterprises. However, with advancement in research Google has
setup new standards for Android for Work in the industry in terms
of both usage and security. This has led vendors to revise their ex-
isting solution in compliance with the new security, management
and productivity features offered by Android for Work.
The remainder of the paper is organized as follows. In section
III and IV we will further discuss about Android for Work and it’s
features respectively. Later in section V we will discuss about the
application development techniques using Android for Work. Fur-
thermore, in section VI we will discuss some of the existing enter-
prise solutions in the market based on their popularity and offer-
ings. Lastly, we will conclude this study in section VII describing
how Android for Work could be beneficial for any enterprise seek-
ing to involve mobility in their buisness model.
3. Overview
We already know about the Android operating system and different
Android based devices. From the previous section, we can easily
assume the purpose and need of Enterprise solution for any organi-
zation. Before we deep dive into the feature details and other fea-
tures, some initial and basic concepts which mostly accelerated the
background of Android for Work are described below.
3.1 Bring Your Own Device (BYOD)
This new trend is also known as Bring Your Own Technology
(BYOT), Bring Your Own Phone (BYOP) or Bring Your Own
PC (BYOPC). This idea basically refers to the policy of permit-
ting employees to bring their own personal devices like smart-
phones, tablets, laptops to their workplace and thus able to ac-
cess and use company privileged information and applications. This
phenomenon is commonly known as Information Technology con-
sumerization. BYOD was introduced for the first time for common
use purpose in 2009. The idea was proposed by Intel due to the
higher usage of personal device at workplace and connecting them
to the corporate network. This term also applies the same kind of
settings for the student to bring their own device in the educational
institution for study or work purpose. BYOD is making significant
ways in the business market, with about 75 percent of employees
in high growth markets such as Brazil and Russia and 44 percent in
developed markets already using their own technology at work [4].
IBM has successfully owned this idea of bring your own device and
thus allows their employees to work with their own devices. This
decision made by IBM was due to perceived productivity gains and
cost savings.
3.2 Mobile Device Management (MDM)
This term indicates mainly dealing with the administrative tasks of
deploying, securing, monitoring, integrating and managing mobile
devices, such as smartphones, tablets, laptops and desktop comput-
ers. Basically MDM functionality can include basic distribution for
applications, data and critical configuration settings for all types of
mobile devices. MDM is more about basic device management is-
sues and less about the mobile platform itself. MDM tools are used
both for company owned and employee owned (BYOD) devices
across the enterprise. MDM can reduce support cost and business
risk by providing more control and protection over the data and
configuration settings for the mobile devices [12]. The target usage
of this technology is to optimize the functional and communicative
structure of the mobile networks while minimizing downtime and

cost. Nowadays mobile marketing is flooded with different MDM
approaches. Numerous vendors and partner companies are helping
mobile device manufacturers to build more sophisticated MDM so-
lutions while providing better optimization on data security, deliv-
ery of the mobile content, applications and services.
There are a lot more concepts working behind and related to An-
droid for Work that will be described in the later sections depending
on the demand of topics. Now some techniques which worked as a
backbone and motivation on building the Android for Work tech-
nology is discussed below.
3.3 Samsung Knox
It’s an enterprise mobile security solution. The name, Samsung
Knox, is derived from Fort Knox. It provides security features that
enable business and personal content to exist at the same time on
the same handset. To elaborate this feature, we could say that if
an user presses an icon that switches from Personal to Work use
with no delay or reboot wait time. Samsung has claimed initially
about this feature which is completely compatible with Android
and Google. Later on they decided to build the workaround which
will provide complete separation of work and personal data on
mobile devices with added solutions for all the major security gaps
in Android. Basically, The Knox service is part of the company’s
”Samsung Approved For Enterprise” (SAFE) offerings for different
smartphones and tablets [10].
3.4 Sandbox
It is a security mechanism to separate running programs based on
device copyright and third party programs. It provides a platform
for executing untested, unverified or untrusted programs from third
party vendors, untrusted users and possibly untrusted websites. The
idea behind Sandbox is, it normally set or defines some resource
to run the third party or guest programs, such as scratch space in
disk or memory. Scratch space is a kind of resource inside any
operating system that is dedicated for only temporary storage [11].
Scratch space is never used for permanently backup data. Scratch
disk can be set in a way so that all the data inside that disk space
is deleted after a regular time interval. This is the reason why
this mechanism is used to run the third party apps. A Sandbox
is completely implemented by executing the guest applications in
a controlled and limited operating system environment and thus
restricting the use of resources (like disk space, files, memory, and
system space) that a process may use.
4. ANDROID FOR WORK: Features
4.1 Android for Work Basics
Android for Work is a new software platform that separates busi-
ness applications from personal applications [7]. Android for Work
was first announced in June 2014. The intention behind this tech-
nology is to put an end to people carrying around separate devices
for work and personal use. The idea is to create a Sandbox on ev-
ery Android device, where users can securely use all their business-
approved apps. Mainly, Android for Work is an Enterprise Mobility
Management (EMM) platform that lets companies deliver a secure,
productive, and rich mobile experience to their employees. Google
has also launched a dedicated app store Play for Work to allow
companies further of distributing apps securely inside the organi-
zation and also gives the control to manage the updates remotely.
The basic Android for Work can be used through an app provided
by Google Play if the intended device is using Android version 4.0
(Ice Cream Sandwich) to 4.4 (KitKat) and if the company you are
working on is enrolled as a partner or consumer under Googles
Android for Work. This is the minimal requirement to use the work
profile features using Android for Work. Devices with Android ver-
sion 5.0 and higher have native support for running work profiles.
They don’t need to be executed through any specific app like ear-
lier versions. These work profiles can be administered and managed
from the Android for Work’s Enterprise Management Console. All
these in-built features will be discussed in the feature sections. An-
droid for Work offers the best features as a platform and service to
the enterprises and organizations. [14].
In this section we are going to discuss about the Android for
Work related features which allows business users to create a ded-
icated work profile across all their Android devices that isolates
enterprise data and protects sensitive data [15].
4.2 Management Features
There are features of Android for work that clearly separates the
usage of work and personal data of users. But, the mechanism
which allows that user data management has some defined way of
achieving those features.
4.2.1 Support for Provisioning
Usually an enterprise employee needs to carry more than one de-
vice for their personal and business works. But, on the other hand
Android for Work has provided the flexibility of working on only
one device for both personal and professional purpose. Organiza-
tion can provision on company-owned devices or they can easily
configure work profiles on employee-owned devices. The provi-
sioning can be done both locally or remotely by enterprise admin-
istrator.
4.2.2 Policy Control and Remote Management
Administrator of Android for Work has the authority of control-
ling all kind of work related policies and can setup new rules or
regulations for users. New policies could be anything starting from
application access related policy to data monitoring policy. Admin
can control all the applications remotely for Android for Work, can
change the policy anytime and can wipe off the user data from the
applications without touching the device owners personal data.
4.2.3 Divide Productivity Suite
There is also an option for them who does not use Android for Work
they can alternatively use a full suite of productivity apps specifi-
cally designed for Android for Work. This is the suite which in-
cludes all kinds of business apps. The application types are mostly
email, calendar, contacts, tasks and download management.
4.3 Security Features
As of Android for Work apps are a part of Android system, they by
default inherit the basic features of Android system like SecureOS
services and many others. Following are the details regarding some
basic security features of an Android System.
4.3.1 Security and Data Separation
The devices using Android 4.3 or higher uses cryptographic ser-
vices based on the SecureOS to provide device based encryption
facility. Device Encryption is the process of encoding user data on
an Android Device with the help of an encrypted key. All user data
is encrypted before saving it on the device storage when a device is
encrypted and every time the data is decrypted and returned based
on read operations of a process call inside the system. The Key-
Chain API provides ability for Android applications to create such
keys that can not be exported and thus apps are exposed to provide
maximum data protection. Data encryption ensures on the higher
level that all business data and personal data stays safe from the
inside and outside environment [18]. Android device encryption is

based on dm-crypt which is provide bz the kernel itself. Android
5.0 introduced new encryption techniques to avoid longer booting
time of Android device, added support on without password based
encryption and hardware backed storage of the encryption key. The
Google Android team works very closely with wider security re-
search communities around the globe to share their ideas, follow-
ing the best practices and continuously checking for improvements
[18].
4.3.2 Application Security
Any Android for Work app has the similar security features like a
normal Android app. Applications are an integral part of the mobile
platform and downloading old or new applications is a very normal
situation. The basic security features are provided by running the
applications automatically inside the Sandbox. Android platform is
based on the Linux OSs kernel. So, it always takes the advantage of
the Linux based device environment protection mechanisms. Such
as identifying and isolating application resources. Android system
usually assigns a unique user ID to every installed application on
the device and runs the application as a separate process. Every
application has different user permissions and this is one of the
most unique features of the Android system.
Application Signing is another process of providing security in
Android system. Android system has setup rules that all apps need
to be digitally signed with a certificate before they can be installed.
Android basically uses this certificate to identify the application
developer of that particular app. Also when there is any bug fix or
updates for that same app, Android match the certificate to check if
its a valid application update or not. Google Play Store also plays a
significant role on providing a dedicated repository for publishing
and managing all Android apps from the same place.
4.3.3 Network Security
Android normally provides data-at-rest security for protecting in-
formation inside the device. At the same time, Android also pro-
vides security for data-in-transit to protect data sharing among An-
droid devices. Android uses Transport Layer Security (TLS)/Secured
Socket Layer (SSL) to access data over the Internet for web brows-
ing, email, instant messaging and other internet gaming or web
related apps. The WPA-2 enterprise protocol supports AES-128
encryption which has been introduced to Android 5.0 to provide
highly secured data transmission over the WiFi for corporations
and their employees. Android supports different 802.1x Extensi-
ble Authentical Protocols (EAP) like EAP-TLS and others. But,
on Android 5.0, EAP-SIM protocol was introduced. Android sys-
tem supports the use of VPN too [18]. There are multiple ways of
handling VPN connections in Android based on the user activities.
Different VPN accesses are described below:
Always-on VPN: This type of VPN configuration restrict the
applications to access the network until a VPN connection is es-
tablished. This also prevents apps to send and receive data over the
network.
Per User VPN: This configuration allows to define VPN set-
tings for each Android user on multiuser devices so that all network
traffic could be routed through single VPN without affecting other
device users.
Per Profile VPN: It can also be applied on per Work Profile
based which allows the IT Administrator to control the enterprise
network traffic to be gone through the enterprise Work Profile VPN
and not the user’s personal network traffic.
Per Application VPN: This kind of configuration has been
newly introduced to Android 5.0 devices which provides the sup-
port of VPN connection on allowed applications and prevents VPN
connections on disallowed applications.
The Android Security team built a tool called nogotofail to pro-
vide the confirmation on devices and applications that they are safe
against the all known TLS/SSL vulnerabilities and misconfigura-
tions [18].
4.3.4 Device and Profile Management
Android 5.0 introduced the concept of a Device Owner and Profile
Owner to support the Android for Work apps and the enterprise
features which is directly reflected by the Bring Your Own Device
(BYOD) concept. The concept of Managed Profile is based on
the Android’s multiuser concept which was initially introduced in
Android 4.2 (API 17) [18]. A Device Owner uses the corporate
owned devices and a Profile Owner is basically configured through
the Work Profile management and their respective policies. An
Android User points to a different physical person in this scenario
and has their own application data, User Interface (UI) and also has
the options to switch in between them. One user can be running in
the background while another user is active. The main purpose of
this work profile handling is to isolate each user’s data. There are
basically two types of Android users, Primary User and Secondary
User.
Primary User: This is the first user which is usually added to
the Android device and can not be removed while the device is in
use except the system factory reset. The Primary User is always
running in the background still when other users are using the
device.
Secondary User: This type of users can be added to the device
after the Primary user is already configured. A secondary user could
be removed by themselves or by the Primary User and have no
impact on other users inside the device. There are some restrictions
on using the device for the secondary user sometimes if the Primary
user is on the foreground. This was the base for building profiles for
Android for Work apps. We will discuss about Managed Profile and
Device policy control in the later sections.
4.4 Application Features
4.4.1 Simplified Application Deployment
Google Play has an option of providing Administrator (Admin)
privilege for the solutions of Android for Work. There can be appli-
cation managers for an enterprise who can have the Administrator
privilege and thus can control the easy deployment of applications
inside any Android for Work device. Only Registered Android for
Work Administrators can access the Play for Work. Basically this
feature provides the following functionality for the Admin [14].
1. Search Free Apps
• Special login needed to access the Play Store for Work-
groups. There is a selection of free productivity apps from
where the Admin can authorize the apps to be used inside
the organization. For better searching there is an app catalog
of Play for Work.
2. Approve Free Apps for installation by users
• After logging inside the Play for Work, Admin can select
one or multiple apps and approve it. Then using the Enter-
prise Mobility Management (EMM) Console, Admin can
assign the app to users, so they can install it inside their de-
vice under Android for Work app list.
3. Remove Free Apps from the list of approved apps
• Any apps can be remotely removed from any users device.
For this the app must be removed from the approved apps
list using the EMM Console. If an app is removed from the
list of approved apps then user who previously installed that

app will not be able to continue their operation with those
particular apps anymore.
4. Distributed Android Applications
• The Google Play private channel for Google apps basically
allows Google app domain to distribute internal android ap-
plication to their users through Google Play Store. Basically
Google Play Store has various type of domains and a Google
App for work, education or government can have a private
channel to access those apps from the Google Play Store.
The Google apps domain administrator allows domain users
to register with the Android Developer Console to publish
different android application on their private channel [17].
The Google Apps domain administrator can also restrict the
access of user or user groups to private channel for down-
loading internal applications. The Google store provides all
the common features for application publishing, virus and
malware detection, device targeting, payment, user rating
and user feedback.
4.4.2 Seamless User Experience
User experience in Android devices is continuous and hassle free
with the entire flexibility user can think about. It lets user to intu-
itively and effortlessly switch between personal and work apps at
the same time. Android has the capability of running multiple ap-
plications all together and previously it has reported almost very
less issues with the user interactions. Android for Work offers so-
lutions built with it by providing a launcher and user can start any
kind of applications with the help of that. Business or Work apps
and other personal apps appears on the same list of launcher, but
the only distinguishable feature is that all the Android for Work
app has an extra badge on the app icon.
5. Android for Work: Application Development
Android Framework provides features to support the security, data
separation and administration needs of an enterprise environment.
An organization can make more appealing apps with the help of
application developers who can modify or reconstruct some parts
of any Android for Work application. The modified apps could per-
form great to corporate customers when all the features of the app
are handled depending on the enterprise requirement. An app de-
veloper can enforce the enterprise security or change the feature
restrictions or maybe change some of its User Interface informa-
tion. The app can also be modified in a way so that the technology
administrators could remotely configure the enterprise resource in-
formation inside the apps [19]. Android for Work usually offers a
suite of APIs (Application Programming Interfaces) and services
for device distribution and administration with the help of Enter-
prise Mobility Management features. Basically this EMM technol-
ogy helps to integrate Android for Work apps with the enterprise
business structure.
5.1 Ensuring Compatibility with Managed Profiles
The Android platform has an usual support for Managed Profile.
A Managed Profile is basically a work profile which supports of
provisioning business data among work profiles. As of this is one
of Android for Works main features, this functionality basically lets
the administrator to control managed profile across any app. This
managed profile functionality is to be set by the admin separately
from the primary functionality of the users profile. This approach
basically gives control to the enterprise to control the application
environment and able to separate the company-specific data and
personal data of user. Then it runs the work apps and users personal
apps smoothly on the device while still letting users to use their
personal profile. Initial requirement which allows enterprises to
work with Managed Profile is Android version 5.0 with API Level
21 [19]. An Android API Level means the version related features
to be used inside that particular API. Following are the implications
and rules for configuring Managed Profiles.
5.2 Prevent Failed Intents
Before talking about Failed Intents, we should know what actu-
ally Intent is. Its an application development component. Intent as
its name implied, declares an intention to do something, such as
to perform some actions or operations depending on the user re-
quirement. Intents can notify the application about a specific event
either generated from the app itself or from the Android System.
The Figure [1] depicts how Intent is used to send a message from
one screen (Get Message) to another one (Display Message) and
thus starting the second screen with the help of Intent firing.
Figure 1. Intent Example with Message sending implementation
As of Intent works internally by invoking some events or tasks,
usually Intents don’t cross from one profile to the other. There are
restrictions on these activities inside any Android app regarding
Intent. In Most of the cases, when an Intent is fired off, its handled
on the same profile. If there is no handler to take care of the event
then the app may shut down unexpectedly or show some abnormal
behavior. So, gradually it may result a Failed Intent. The profile
administrator can define which Intents are allowed to cross from
one profile to another. Since everything is initially configured by
the administrator so there could be no possible ways to know which
Intents can cross the boundary. The administrator sets the policy
and at the same time have the rights to modify the policy anytime.
5.3 Share Files Across Profiles
Managed profile handling has the option of restricting access to
apps regarding file sharing between profiles. For example, an image
gallery app inside the Android device might request to access its
images with Image Editors. There are two ways the files are usually
shared inside the device: a file URI or a content URI. A file URI
is nothing else than sharing the files absolute path on the devices
storage. But as of the managed profile and the personal profiles
use separate storage area, a file URI which is valid on one profile
becomes invalid on the other. But, using content URIs, this problem
can be resolved. Content URIs identifies the file in a secured and
shareable manner. It contains the file path and also the authority
that provides the file which is identified by an ID number. This is

called Content ID. This ID is shared among the apps for further
access between managed profile and others.
5.4 Implementing App Restrictions
Applications developed for enterprise market under Android for
Work may need to meet particular requirements defined by the
companys policies. Different sort of applications restrictions allows
the enterprise administrator remotely configure those company pol-
icy settings as restrictions. This ability of Android for Work apps
are useful to be deployed under managed profiles. For example, an
enterprise might require these functionality which allows the en-
terprise administrator to: List users who are sharing more contents
via cellular or just by Wi-Fi, to configure user setting for file ac-
cess and emails, to configure fair data usage policy or other related
configurations.
6. Android for Work: Integration with System
and Enterprise Environment
The entry point within the integration features between Android
for Work and the enterprise system basically starts though the
Google Admin Console. The Google Apps Device Policy and app
administration inside the system device is described below.
6.1 Building work policy controller
Inside an Android for Work deployment, a policy controller is
the most important thing to handle. Because, an enterprise often
needs to maintain certain aspects of the employees devices and
monitor them carefully. The main focus is the same to partition the
business and personal data of employee. Sometimes functionalities
like restricting device capabilities are also needed to be applied.
Such as, device may not be allowed to use camera or GPS abilities.
Using the restriction features enterprise administrator can easily
setup these policies and can be turned on or off depending on
the requirement. A Restriction does not mean to restrict the app
functionality, it implements a wide range of configuration options
to restrict the device abilities of using Android for Work profiles
and other app features. To perform these tasks, an enterprise needs
to build and deploy a Work Policy Controller app which should
be installed in each employees device [19]. The controller app
basically has some functionalities such as, creating a work user
profile, being the Gateway between the enterprise management
software and the Android for Work used devices; Whenever the
enterprise configuration changes, it connects with the controller app
to synchronize the particular settings for the device and for other
apps. The Work Policy Controller app helps the enterprise to handle
business data separately from the users personal profile which is
the main focus of the app. The enterprise administrator sets these
policies with the software provided by their Enterprise Mobility
Management (EMM) provider. Basically, the EMM app connects
with the Work Policy Controller app and makes new configurations
or changes them. All these operations are basically carried out by
the device administration applications for device management.
In the Android for Work deployment, the enterprise administra-
tor sets all the policies and controls the behavior of the employee’s
devices and apps both. Setting up the policy for the whole orga-
nization is self-explaining. Such as, setting an expiry date for de-
vice passwords and limiting the frequency of changing passwords
could be controlled. Some more scenario could be, Work Policy
Controller app can set a policy which will lock the users device
after a certain number of failed login attempts. The controller app
communicates with the EMM to find the defined device policies for
the users device take actions according to that. For this scenario, it
will use the Device Administration API to apply the policies. Work
Policy Controller app usually receives restriction changes from the
administrator and forwards the changes to the apps.
7. Enterprise Solutions using Android for Work
To meet the needs of their end users and IT departments, organi-
zations are looking for a scalable solution for Enterprise Mobility
Management (EMM). Smartphones and tablets have changed the
way the end users deal with applications and content in their daily
lives. Now they expect a similar mobile experience in the work-
place - burden of owning multiple devices for different perspec-
tive. To target such expectations, IT admins must allow employ-
ees to access business critical applications on the device of their
choice while ensuring the security and integrity of the organization-
specific data at the same time [25]. Therefore, organizations need
a solution with provisions for access control and authentication
for enterprise applications covering private and corporate devices.
An Enterprise Mobility Management suite consists of policy and
configuration management tools and provides a management layer
for applications and content. Android for Work utilizes the idea
of EMM and provides functionalities such as inventory manage-
ment(hardware and software), OS configuration management, mo-
bile app development along with change and congifuration, remote
action execution and mobile content management. In this section
we will discuss some current solutions available in the market. We
have chosen the vendors based on their position in the market [26];
from top trending players to upcoming solutions in the market. We
have also described the offerings along with some areas of con-
cern which needed to be taken into account before deciding the
best available option in the market.
Figure 2. EMM Solution
Figure [2] depicts how Android for Work is realized through an
external vendor solution which sits in between as an overlay layer
which manages applications and related operations on multiple
enterprise mobile devices through a single platform which is used
by IT administrators.
7.1 Absolute Software
Absolute Software provides EMM functionality incorporated in
their existing solution such as device-tracking and client-management.
Absolute Software has a wide presence in education and govern-
ment sector. Their product Absolute Manage providesa unified so-
lution for managing devices across multi platforms i.e. iOS, An-
droid and Windows phone. With one console IT admins can deploy

and manage enterprise applications on different platforms. Below
mentioned are some of the crucial features provided by Absolute
Manage [27]:
Application and License Management IT admins can readily
deploy applications and their licenses as per user profile. Addition-
ally, detection of missing application in a particular suite and its
remote installation is also made possible. Absolute Manage also
monitors the usage and prevents authorized activity i.e. separa-
tion ofbusiness and personal app container. Application can also
be silently removed and re-deployed as per policies defined in the
system.
Security, Change and Configuration Management Allows for
remote monitoring and enforcement of configuration policies and
use the monitored data to Impose enterprise level security including
automated BYOD device enrolment and employee opt-in, policy-
based actions automate IT commands to turn off roaming, demote
a device to unmanaged status, IT alerts, etc. based on predefined
conditions, manage and deploy profiles (configure email, restrict
apps, disable cameras) and generate unique certificates per user to
authenticate Exchange email access(versus traditional passwords)
for a much higher degree of security, an improved end user expe-
rience, and a significant reduction in password related security and
help desk incidents.
Automated Patch Management Targets the security vulnerabil-
ities imposed by viruses, worms and other cyber thtreats through
centralized management and deployment of security patches along
with added functionalities like tracking and system-wide policies
configuration. Also, updates could be monitored and propagated
from a centrally managed entity.
Limitation Despite strong offerings, Absolute Software appli-
cation management features are still in elemantry stage due to lack
of advanced SDK and wrapping capabilites. Also, it doesn’t imple-
ment or offer any self-service portal for users to for users to locate,
track, wipe and manage their devices [26].
7.2 AirWatch
Since its acquisition in 2014 by VMWare, Airwatch exists as one
of the most robust solutions in the enterprise mobility management
category. AirWatch is a best suited for organizations looking for a
comprehensive EMM feature set on a broad range of platforms. It
aims to provide a scalable enterprise mobility management plat-
form that integrates with existing enterprise systems and allows
you to manage all devices, regardless of type, platform or owner-
ship, from one central console. AirWatch provides a single console
built on top of a single code base which allows it to manage cross-
platform devices and makes it easier for IT admins to regulate and
monitor activities spanning mobile devices and other platforms uti-
lizing enterprise applications [28] . Some major features are men-
tioned below [29]:
App Container AirWatch App Container provides complete
separation of buisness and personal data on devices (personal or
corporate), securing corporate resources and maintaining employee
privacy. With separation of concerns, containerization enables or-
ganizations to standardize enterprise security and data loss preven-
tion strategies across mobile devices.
AirWatch Mobile Device Management Allows the administra-
tors to gain top down view on the devices which connect to the en-
terprise network, content and resources. It facilitates to quickly en-
roll devices in your enterprise environment, update device settings
over-the-air, and enforce security policies and compliance across
your entire device fleet.
AirWatch Mobile Content Management Secures document dis-
tribution and promotes content collaboration anytime, anywhere
with AirWatch Content Locker. Access your corporate content in a
secure container with advanced data loss prevention policies. Pro-
mote collaboration with editing, annotation and commenting capa-
bilities for shared fi les.
AirWatch Mobile Email Management Provides comprehensive
security for your corporate email infrastructure. With AirWatch,
you can control which mobile devices access email, prevent data
loss, encrypt sensitive data and enforce advanced compliance poli-
cies. Containerize email and provide a consistent user experience
with AirWatch Inbox, a secure email client.
AirWatch Telecom Management With this feature AirWatch
enables enables IT to easily monitor data, voice and roaming usage
alongside devices from the admin console. With AirWatch in ac-
tion, IT has insight into telecom usage to help save time, money and
resources. Roaming restrictions, automated compliance enforce-
ment and self-service options for end users simplify telecom man-
agement for IT.
Limitation As published in Gartner, there were issues reported
pertaining to usage Secure Content Locker and Inbox email ap-
plications. Additionally, there have been issues with app wrapping
issues with support and stability.This has led to many organiza-
tions,relying on AirWatch, to limit the solution only for MDM and
mobile application management.Also, With the latest release, 7.1,
AirWatch has limited its solution only to cloud customers. There-
fore, if immediate software updates is a selection criterion, consider
only the cloud offering [26].
7.3 Globo
Globo has proved itself to be one of the major solution providers in
the enterprise mobility management sector. Its enterprise mobility
solution covers diverse platforms and offered via software as a ser-
vice or on-premises option. What makes Globo a stand-alone prod-
uct in the market is added feature of ”Mobile App Development”
[31] . The enterprise license includes a core set of Secure personal
information management (PIM), collaboration and productivity ap-
plications, and a secure content container under a single license.
Globo is a good fit for organizations looking for a single product
that provides Mobile App Development and EMM. Below men-
tioned are some main features as a part of the EMM solution [30]
.
GO!Enterprise Workspace Similar to conterization in Air-
Watch, enterprise workspace allows all corporate apps, data and
content to be collected together inside a secure ’container’ on the
device. Everything inside the GO!EnterpriseWorkspace is secured
with FIPS certified AES 256-bits military grade encryption and
access is controlled through strong user authentication measures.
GO!Enterprise Office It’s a mobile office productivity solution
which enables secure and controlled access to enterprise informa-
tion like email, contacts, calendar, tasks and notes from any mobile
device. Employees can securely access the corporate file systems,
as well as the corporate intranet and any other internal web applica-
tion through the secure mobile browser of GO!Enterprise Office. It
is ideally suited for the implementation of Bring Your Own Device
(BYOD) mobility strategies.
• Secure Push Email and PIM: GO!Enterprise Office provides se-
cure access to enterprise email accounts from any mobile device
within the enterprise Workspace. All email and PIM updates are
synchronised using bi-directional push technology and the user
is alerted via push notifications and icon badges.It can also be
integrated with the existing technology such as Microsoft Ex-
change, IBM Domino, Office 365 or other ActiveSync-enabled
email servers.
• File Access, Sharing and Editing: provides easy and secure
mobile access to enterprise file servers and repositories. Mobile
employees perform operations on files and folders according to

the policies defined in the enterprise server such as Sharepoint
or Active Directory.
GO!Enterprise Mobile App Development One of differentiat-
ing features of Globo enterprise solution MADM enables develop-
ment, deployment and management of secure mobile apps. With a
simple and user-friendly development environment, it can produce
cross-platform applications with rich-user interface. Applications
built with GO! Enteprise are deployed in a secure container on the
client side to maintain separation of concerns. It consists of three
main components - GO!AppZone Studio, for rapid, drag-and-drop
development of cross-platform mobile GO!Apps; GO! Enterprise
Workspace, which hosts and renders GO!Apps on mobile devices;
GO!Enterprise Server, a versatile middleware server which enables
secure communication with back-end systems, data synchroniza-
tion and mobile application management. MDM provides organiza-
tions an intuitive, user-friendly way of simplifying the complexities
of supporting a mobile workforce.
Limitation With strong offerings with their solution, Globo still
lags in areas like certificate management and the ability to display
an end-user license or agreement prior to device enrollment, relying
instead on a postenrollment email. This might not be a major con-
cern, however some organization might take interest in recording
explicit user consent prior to device enrollment. Furthemore, Globo
provides its own set of mobile apps which is managed by Go! En-
terprise, but it does not provide any explicit support for public apps
over app store [26].
7.4 MobileIron
Having solutions with a strong focus on mobile IT and security,
scalability, on premise or provisioning through cloud - MobileIron
remains the top leader in the EMM vendor market as published
in the Gartner magic quadrant report [26] . Mobile Iron’s primary
strategy targets enablement of an open ecosystem (devices and ap-
plications) and to protect access and information through server
side functions. It spans multiple platforms and provides an easy
and intuitive management of mobile applications across the enter-
prise. Mobile Iron’s architecture consists of the following major
components [32].
Mobile Device Management - MDM The platform allows IT
administrators to secure and manage applications, grant access to
enterprise specific intranet and internal e-mails to mobile devices.
The solution works on policies enforced from a central entity and
thus the policies defines the access rules assigned to a user. The
MobileIron Platform consists of MobileIron Core, a security and
management policy engine, MobileIron Client that automatically
configures the device to function in an enterprise environment, and
MobileIron Sentry, an intelligent security gateway.
Mobile Application Management - MAM With MAM it is pos-
sible to not only manage the lifecycle of the application but to
make then separate from personal applications as well. Mobile-
Iron’s Apps-at-Work is an enterprise application storefront which
manages both in-house developed apps and third party business
apps that can be delivered to users. The storefront provides security
and a user-friendly interface to seemlessly browse and use enter-
prise specific applications. It consitutes of three main components -
1) Application Distrubution Library - IT administrators can directly
publish private apps to their users, accelerating the app discovery
process for end-users. Administrators can also approve external ap-
plications and distribute them to users, making it clear to employees
that these apps are approved and supported 2) Application Security
and Access Control - It enables to select which applications are re-
quired, allowed, or disallowed and then associate these apps with
rules that specify the consequences of being out of policy 3) Appli-
cation Inventory - provides a snapshot of currently deployed apps
for monitoring purpose [33].
Mobile Content Management - MCM Mobile Iron’s Docs-at-
Work provides a novel way to access and share documents in a se-
cure way. Data loss prevention (DLP) controls are set by IT to pro-
tect documents from unauthorized distribution and end users can be
more productive with integrated editing capabilities. Furthermore,
it controls whether third-party apps can access stored documents
and utilizes policies and permissions set in MobileIron Core. Some
of its primary features include e-mail attachment control, content
repository access and secure content hub [33].
Limitation As reviewed by Gartner, some of the issues with
Mobile Iron include difficulty in monitoring availability and perfor-
mance. There is no link or connection between the on premise and
cloud offering, enterprise has to chose either one of them. Another
issue lies within reporting which is a challenge with MobileIron, in
terms of building customized reports and scheduling [34].
8. Conclusion
In this paper we detailed out the need of mobility in the enterprise
solutions and how Android for Work intends to target it. We ex-
plained the concept of BYOD and how it is helping business to
scale-up their productivity. Also, we mentioned some of the re-
markable features that Android for Work with their respective ben-
efits. Lastly, we discussed about some solution based on Android
for Work. Due to their growing adoption in the market we chose
vendors who have already become success stories and who are cur-
rently gaining a positive attention amongst various organizations.
Due to the closed nature of these solutions, until they are bought,
we were not able to carry out benchmarks as they require a business
domain setup to be tested, hence we have restricted this study de-
scribing their features which gives a concise picture of their offer-
ing and limitations. Android for Work is definitely a bridge between
corporate and personal mobile devices through containerization of
apps (private and business), however there is still much need to be
evaluated against security as the underlying operating system An-
droid is still heavily exploited by users with negative intent. With
this study we could assume that Android for Work will continue to
grow and involve more and more robust features with its advance-
ment.
References
[1] Kopka, H., Daly P.W., A Guide to LaTeX, Addison-Wesley, Reading,
MA, 1999.
[2] Business process with Mobility,
http://www.forbes.com/fdc
[3] BYOD overview - Mobile Iron,
https://www.mobileiron.com/de/losungen/bring-your-own-device
[4] BYOD Trend is ICT Industry’s hottest topic,
http://www.forward-edge.net/bring-own-device-trend-ict-
industrys-312613.html
[5] Android operating system overview,
http://www.openhandsetalliance.com
[6] Android for Work,
http://www.android.com/work
[7] Android For Work productivity for busy professionals
http://www.telegraph.co.uk/technology/google/11436543/
Google-launches-Android-for-Work-to-aid-productivity
-for-busy-professionals.html
[8] Enterprise Mobility Management - Citrix,
https://www.citrix.com/solutions/enterprise-mobility
/overview.html
[9] Android Market Share
http://www.engadget.com/2013/10/31/
strategy-analytics-q3-2013-phone-share/
[10] Samsung Knox

https://www.samsungknox.com/en
http://www.itwire.com/your-it-news/mobility/
59182-samsung’s-knox-blackberry-off-balance
[11] Sandbox
http://www.techhive.com/article/247416
[12] MDM
http://searchmobilecomputing.techtarget.com/definition/
mobile-device-management
[13] Google for Work
https://www.google.com/work/
[14] Android for Work Features
https://support.google.com/work/android/answer/6095397?hl=en
[15] Google Play for Work Features
https://support.google.com/googleplay
[16] Google Apps for Work Products
https://www.google.com/work/apps/business/products/
[17] Distributed Android Apps for your Organization
https://support.google.com/a/answer/2494992?hl=en
[18] Android for Work Security
https://static.googleusercontent.com/media/www.google.com/en/US/
work/android/files/android-for-work-security-white-paper.pdf
[19] Building Android Application
https://developer.android.com/training/enterprise/index.html
[20] OUT OF POCKET - A Comprehensive Mobile Threat Assessment of
7 Million iOS and Android Apps,
https://www2.fireeye.com/rs/fireye/images/rpt-mobile-threat-assessment.pdf
[21] Attacks on Android Apps - A report,
http://www.cnbc.com/id/102462850
[22] OWASP Top 10,
https://www.owasp.org/
[23] Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and
XiaoFeng Wang. The Peril of Fragmentation: Security Hazards in
Android Device Driver Customizations
[24] Top threats and Vulnerabilites in Android OS.
https://appvigil.co/blog/category/vulnerabilities
[25] CITRIX - white paper Enterprise mobility management at your own
pace - a three-phase approach
[26] Gartner: Magic qudrant for Enterprise Mobility Management Suites,
http://www.gartner.com/technology
[27] Absolute Software Canada - resources,
https://www.absolute.com/en-gb/resources
[28] AirWatch white paper - Solution Overview,
http://www.air-watch.com/downloads/brochures/
airwatch-solutions-overview.pdf
[29] AirWatch - Resources,
http://www.air-watch.com/resources/brochures
[30] Globo PlC - white paper,
http://www.globoplc.com/en-GB/white-papers
[31] Globo PlC - resources,
http://www.globoplc.com/en-GB/brochures
[32] MobileIron white paper - Android for Work,
https://www.mobileiron.com/en/solutions/
[33] MobileIron - Products and Offerings,
https://www.mobileiron.com/en/products
[34] Gartner Listings,
http://www.gartner.com/technology/

Android_for_Work

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Android_for_Work

Similar to Android_for_Work (20)

Recently uploaded

Recently uploaded (20)

Android_for_Work